A new standalone Cybersecurity Act that will be tabled in the Singapore Parliament next year may require the city state’s critical information infrastructure operators to report cybersecurity breaches, giving the country’s security watchdog more teeth, a legal expert says.
The bill will ensure that operators take proactive steps to secure Singapore’s critical information infrastructure, and report incidents. “We believe the steps may relate to mandatory reporting obligations, which may be imposed under the new Cybersecurity Act,” Andy Leck, managing principal of Baker & McKenzie.Wong & Leow in Singapore, told Asia Business Law Journal. “Currently, the Computer Misuse and Cybersecurity Act [CMCA] does not mandate the reporting of a cybersecurity breach.”
The Singapore government’s renewed focus on cybersecurity is a response to the growing threat of cyber attacks. In 2015, a hacker by the name of James Raj Arokiasamy was jailed after pleading guilty to 39 charges of computer misuse, including hacking into the webservers of a charitable foundation and a town council, and hacking into a company’s database to steal confidential banking information. In 2014, the database of a local karaoke company was hacked, resulting in the personal details of more than 300,000 individuals being leaked online.
“Cybercrime in Singapore is on the rise. For example, police statistics show that offences reported under the CMCA have increased by more than 60%, from 169 cases in 2013 to 278 cases in 2015,” said Leck.
In defining the steps that operators should take, the Singapore government may consider the reporting regime that presently applies to the finance sector. “Financial institutions regulated by the Monetary Authority of Singapore are required to notify the authority of any IT security incident within an hour of its discovery. Within 14 days, a detailed report must be furnished to the authority,” said Leck.
The new bill will also empower the Cyber Security Agency of Singapore (CSA) to manage cyber incidents and raise the standards of cybersecurity providers in Singapore. Leck said the CSA might be vested with the authority to direct other individuals or organizations to take necessary measures to prevent cyber-security threats.
The CSA is already co-ordinating cross-sector responses and working closely with critical sectors to conduct cyber-security exercises and assess vulnerabilities. Leck said it is well positioned to effectively manage responses to cyber incidents across key sectors.
In April 2015, the CSA was formed to coordinate public and private-sector efforts to protect national systems from cyber threats.